Re: [gnu-prog-discuss] Introducing GNU Guix

From: Ludovic Courtès
Subject: Re: [gnu-prog-discuss] Introducing GNU Guix
Date: Fri, 23 Nov 2012 22:52:52 +0100
User-agent: Gnus/5.130005 (Ma Gnus v0.5) Emacs/24.2 (gnu/linux)

address@hidden (Niels Möller) writes:

> address@hidden (Ludovic Courtès) writes:
>> The TODO item about signatures is to verify the OpenPGP signature that
>> comes with GNU packages.
> I see, then you don't have much choice on signature format. And I agree
> it's a useful feature.

Yes, though one could wonder how much it buys us if the committers are
trusted to have verified that they downloaded a genuine package when
they commit a file with the SHA256.

> You might like expressing authorizations as sexps (and I guess it's
> possible to use the spki machinery even with alien input formats like
> openpgp).
> I was thinking of using spki delegations for things like "this key can
> authorize installation of packages from these urls" or "this key is
> authorized to install files in this subtree in the file system". But I
> haven't thought carefully about how that should work.

Hmm, OK.

